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ABSTRACT 

Database  systems  for  real-time  applications  must  satisfy 
timing  constraints  associated  with  transactions,  while 
maintaining  data  consistency.  In  addition  to  real-time 
requirements,  security  is  usually  required  in  many  applica¬ 
tions.  Multilevel  security  requirements  introduce  a  new 
dimension  to  transaction  processing  in  real-time  database 
systems.  In  this  paper,  we  argue  that  because  of  the  com¬ 
plexities  involved,  trade-offs  need  to  be  made  between 
security  and  timeliness.  We  briefly  present  the  secure  two- 
phase  locking  protocol  and  discuss  an  adaptive  method  to 
support  trading  off  security  for  timeliness,  depending  on 
the  current  state  of  the  system.  The  performance  of  the 
adaptive  secure  two-phase  locking  protocol  shows 
improved  timeliness.  We  also  discuss  future  research 
direction  to  improve  timeliness  of  secure  database  sys¬ 
tems. 

1.  Introduction 

Database  security  is  concerned  with  the  ability  of  a 
database  management  system  to  enforce  a  security  policy 
governing  the  disclosure,  modification  or  destruction  of 
information.  Many  secure  database  systems  use  an  access 
control  mechanism  based  on  the  Bell-LaPadula  model 
[Bell  76].  This  model  is  stated  in  terms  of  subjects  and 
objects.  An  object  can  be  a  data  file,  record  or  a  field 
within  a  record.  A  subject  is  an  active  process  that  requests 
access  to  objects.  Every  object  is  assigned  a  classification 
and  every  subject  a  clearance.  Classifications  and  clear¬ 
ances  are  collectively  referred  to  as  security  classes  (or 
levels)  and  they  are  partially  ordered.  The  Bell-LaPadula 
model  imposes  the  following  restrictions  on  all  data 
accesses: 

a)  Simple  Security  Property:  A  subject  is  allowed  read 
access  to  an  object  only  if  the  former’s  clearance  is  identi¬ 
cal  to  or  higher  (in  the  partial  order)  than  the  latter’s  classi¬ 
fication. 

b)  The  ^-Property:  A  subject  is  allowed  write  access  to  an 
object  only  if  the  former’s  clearance  is  identical  to  or  lower 
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than  the  latter’s  classification. 

Database  systems  that  support  the  Bell-LaPadula  prop¬ 
erties  are  called  multilevel  secure  database  systems  (MLS/ 
DBMS).  The  Bell-LaPadula  model  prevents  direct  flow  of 
information  from  a  higher  access  class  to  a  lower  access 
class,  but  the  conditions  are  not  sufficient  to  ensure  that 
security  is  not  violated  indirectly  through  what  are  known 
as  covert  channels  [Lamp  73].  A  covert  channel  allows 
indirect  transfer  of  information  from  a  subject  at  a  higher 
access  class  to  a  subject  at  a  lower  access  class.  An  impor¬ 
tant  class  of  covert  channels  that  are  usually  associated 
with  concurrency  control  mechanisms  are  timing  channels. 
A  timing  channel  arises  when  a  resource  or  object  in  the 
database  is  shared  between  subjects  with  different  access 
classes.  The  two  subjects  can  cooperate  with  each  other  to 
transfer  information. 

A  real-time  database  management  system  is  a  transac¬ 
tion  processing  system  where  some  transactions  have 
explicit  timing  constraints  [Son  95b].  Typically  a  timing 
constraint  is  expressed  in  the  form  of  a  deadline,  a  certain 
time  in  the  future  by  which  a  transaction  needs  to  be  com¬ 
pleted.  As  advanced  database  systems  are  being  used  in 
applications  which  need  to  support  timeliness  while  man¬ 
aging  sensitive  information,  one  cannot  avoid  the  need  for 
integrating  real-time  data  processing  techniques  into  MLS/ 
DBMSs.  Lor  certain  applications  in  which  absolute  secu¬ 
rity  is  required  for  safety-critical  operations,  any  trade-offs 
of  security  for  timeliness  cannot  be  allowed.  The  approach 
presented  in  this  paper  is  not  intended  to  cover  such  appli¬ 
cations. 

Concurrency  control  is  used  in  databases  to  manage  the 
concurrent  execution  of  operations  by  different  subjects  on 
the  same  data  object  such  that  consistency  is  maintained 
[Bern  87].  In  multilevel  secure  databases,  there  is  the  addi¬ 
tional  problem  of  maintaining  consistency  without  intro¬ 
ducing  covert  channels.  Lor  a  more  detailed  description  of 
and  a  possible  solution  to  the  problem  of  concurrency  con¬ 
trol  in  secure  databases,  the  reader  is  referred  to  [Dav  93], 
[Thur  93].  In  this  paper,  we  discuss  the  additional  issues 
that  arise  when  transactions  in  a  secure  database  have  tim¬ 
ing  constraints  associated  with  them.  We  first  review 
related  work  in  secure  concurrency  control,  and  discuss  the 
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problems  associated  with  time-constrained  secure  concur¬ 
rency  control.  An  adaptive  method  by  which  security 
requirements  can  be  partially  compromised  for  improved 
timeliness  is  then  presented. 

2.  Background 

Covert  channel  analysis  and  removal  is  one  of  the 
important  issues  in  multilevel  secure  concurrency  control. 
The  notion  of  non-interference  has  been  proposed  [Gogu 
82]  as  a  simple  and  intuitively  satisfying  definition  of  what 
it  means  for  a  system  to  be  secure.  The  property  of  non¬ 
interference  states  that  the  output  as  seen  by  a  subject  must 
be  unaffected  by  the  inputs  of  another  subject  at  a  higher 
access  class.  This  means  that  a  subject  at  a  lower  access 
class  should  not  be  able  to  distinguish  between  the  outputs 
from  the  system  in  response  to  an  input  sequence  including 
actions  from  a  higher  level  subject  and  an  input  sequence 
in  which  all  inputs  at  a  higher  access  class  have  been 
removed.  An  extensive  analysis  of  the  possible  covert 
channels  and  the  necessary  and  sufficient  conditions  for  a 
secure,  interference-free  scheduler  are  given  in  [Keef  90]. 

Locking  will  fail  in  a  secure  database  because  the  secu¬ 
rity  properties  prevent  actions  in  a  transaction  T;  at  a 
higher  access  class  from  delaying  actions  in  a  transaction 
7’2  at  a  lower  access  class  (e.g.  when  T2  requests  a  conflict¬ 
ing  lock  on  a  data  item  on  which  T j  holds  a  lock).  Times¬ 
tamp  ordering  fails  for  similar  reasons,  with  timestamps 
taking  the  role  of  locks,  since  a  transaction  at  a  higher 
access  class  cannot  cause  the  aborting  of  another  transac¬ 
tion  at  a  lower  access  class.  Locking  and  timestamping 
techniques  can  be  adapted  for  MLS/DBMSs. 

Optimistic  concurrency  control  for  a  secure  database 
can  be  made  to  work  by  ensuring  that  whenever  a  conflict 
is  detected  between  a  transaction  T/j  at  a  higher  access 
class  in  its  validation  phase  and  a  transaction  T;  at  a  lower 
access  class,  the  transaction  at  the  higher  access  class  is 
aborted,  while  the  transaction  at  the  lower  access  class  is 
not  affected.  A  major  problem  with  using  optimistic  con¬ 
currency  control  is  the  possible  starvation  of  higher-level 
transactions.  For  example,  consider  a  long-running  trans¬ 
action  Tj,  that  must  read  several  lower-level  data  items 
before  the  validation  stage.  In  this  case,  there  is  a  high 
probability  of  conflict  and  as  a  result,  7),  may  have  to  be 
rolled  back  and  restarted  an  indefinite  number  of  times. 

A  secure  version  of  the  MVTO  scheduler  is  presented 
in  [Keef  90b].  The  difference  between  Basic  MVTO  and 
Secure  MVTO  is  that  Secure  MVTO  will  sometimes 
assign  a  new  transaction  a  timestamp  that  is  earlier  than  the 
current  timestamp.  This  effectively  moves  the  transaction 
into  the  past  with  respect  to  active  transactions.  This 
method  has  the  drawback  that  transactions  at  a  higher 
access  class  are  forced  to  read  arbitrarily  old  values  from 
the  database  due  to  the  timestamp  assignment.  This  prob¬ 


lem  can  be  especially  serious  if  most  of  the  lower  level 
transactions  are  long  running  transactions.  Alternative 
approach  is  to  make  higher  access  class  transaction  wait 
until  all  transactions  that  are  lower  and  have  arrived  ear¬ 
lier  finish  their  execution  [Jajo  92]. 

3.  Supporting  Security  and  Timeliness 

There  are  several  papers  that  have  explored  approaches 
to  extend  conventional  databases  for  time-critical  applica¬ 
tions  [Abbo  92],  [Hari  90],  [Lee96],  [Sha  91],  [Son  92]. 
The  problem  arises  when  these  approaches  are  applied  to 
secure  databases,  because  covert  channels  can  be  intro¬ 
duced  by  priority  based  scheduling.  All  existing  real-time 
systems  schedule  transactions  based  on  some  priority 
scheme.  The  priority  usually  reflects  how  close  the  trans¬ 
action  is  to  missing  its  deadline.  Priority-based  scheduling 
of  real-time  transactions,  however,  interacts  with  the  prop¬ 
erty  of  non-interference  which  has  to  be  satisfied  for  secu¬ 
rity.  For  example,  consider  the  following  sequence  of 
requests: 

Ti  (SECRET)  :  R(X) 

T2  (UNCLASSIEIED)  :  W(X) 

TjCUNCLASSIEIED)  :  W(X) 

T4(UNCLASSIEIED)  :  R(X) 

Assume  that  Tj,  T2  and  have  priorities  5,  7  and  10 
respectively  and  the  priority  assignment  scheme  is  such 
that  if  priority(T2)  >  priority(Tj),  then  T2  has  greater  criti¬ 
calness  and  has  to  be  scheduled  ahead  of  Tj.  In  the  above 
example,  T2  and  Tj  are  initially  blocked  by  Tj  when  they 
arrive.  When  Tj  completes  execution,  Tj  is  scheduled 
ahead  of  T2,  since  it  has  a  greater  priority  than  T2  and  the 
transaction  execution  order  would  be  Tj  T2  T4.  How¬ 
ever,  if  the  transaction  Ty  is  removed,  the  execution  order 
would  be  T2  T4T4  because  T2  would  have  been  scheduled 
as  soon  as  it  had  arrived.  The  presence  of  the  SECRET 
transaction  T j  thus  changes  the  value  read  by  the 
UNCLASSIEIED  transaction  T4,  which  is  a  violation  of 
value  security.  Eor  the  same  reason  delay  security  is  also 
violated,  because  the  presence  oiTj  delays  T2  with  respect 
toTj. 

Erom  this  example,  it  is  clear  that  priority-based  trans¬ 
action  scheduling  is  not  feasible  for  a  fully  secure  data¬ 
base  system.  It  is  because  in  a  secure  environment,  a 
transaction  at  a  higher  level: 

•  cannot  cause  the  aborting  of  a  transaction  at  a  lower 

access  class.  If  it  is  allowed  to  do  so,  it  is  possible  that  it 
can  control  the  number  of  times  a  lower  level  transac¬ 
tion  is  aborted,  thereby  opening  a  covert  channel. 

•  cannot  conflict  with  a  transaction  at  a  lower  access  class. 

If  such  a  conflict  does  occur,  the  higher  level  transac¬ 
tion  has  to  be  blocked  or  aborted,  not  the  low  level 


transaction. 

•  cannot  be  granted  greater  priority  of  execution  over  a 

transaction  at  a  lower  access  class. 

Therefore,  for  minimizing  deadline  miss  percentage,  we 
take  the  approach  that  partial  security  violations  under  cer¬ 
tain  conditions  are  permissible. 

4.  Secure  Two-Phase  Locking 

Basic  two-phase  locking  does  not  work  for  secure  data¬ 
bases  because  a  transaction  at  a  lower  access  class  (say  Tj) 
cannot  be  blocked  due  to  a  conflicting  lock  held  by  a  trans¬ 
action  at  a  higher  access  class  {T^.  If  Ti  were  somehow 
allowed  to  continue  with  its  execution  in  spite  of  the  con¬ 
flict,  then  non-interference  would  be  satisfied.  We  have 
developed  a  secure  two-phase  locking  protocol  to  solve 
this  problem  [Son  94].  The  basic  principle  behind  the 
secure  two-phase  locking  protocol  is  to  try  to  simulate  exe¬ 
cution  of  Basic  2PL  without  blocking  of  lower  access  class 
transactions  by  higher  access  class  transactions.  Three  dif¬ 
ferent  types  of  locks  are  used  for  this  purpose.  Their 
semantics  are  explained  below: 

1)  Real  Lock  (of  the  form  plfx]):  A  real  lock  is  set  for  an 
action  pfx]  if  no  other  conflicting  action  has  a  real  lock  or 
a  virtual  lock  on  x.  The  semantics  of  this  lock  are  identical 
to  that  of  the  lock  in  basic  two  phase  locking. 

2)  Virtual  Lock  (of  the  form  vplfx]):  A  virtual  lock  vplfx] 
is  set  for  an  action  pfx]  if  a  transaction  at  a  higher  access 
class  holds  a  conflicting  lock  on  x  (pfx]  has  to  be  a  write  to 
satisfy  the  Bell-LaPadula  properties).  The  virtual  lock  is 
non-blocking.  Once  a  virtual  lock  vplfx]  is  set,  pfx]  is 
added  to  queue [x]  and  the  next  action  in  7}  is  ready  for 
scheduling.  When  pfx]  gets  to  the  front  of  the  lock  queue, 
its  virtual  lock  is  upgraded  to  a  real  lock  and  pfx]  is  sub¬ 
mitted  to  the  scheduler.  A  virtual  lock  holding  action 
vplfx]  can  be  superseded  in  the  lock  queue  by  a  conflicting 
action  qj[x]  if  Tj  is  in  before(Tj). 

3)  Dependent  Virtual  Lock  (of  the  form  dvpli[x]):  A  depen¬ 
dent  virtual  lock  is  set  for  an  action  pfx]  (where  p  is  a 
write)  if  a  previous  write  wfy]  in  the  same  transaction 
holds  a  virtual  lock.  An  action  pfx]  which  holds  a  depen¬ 
dent  virtual  lock  with  respect  to  another  action  wfy]  is  not 
allowed  to  set  a  real  lock  or  a  virtual  lock  unless  wfyfs 
virtual  lock  is  upgraded  to  a  real  lock.  The  dependent  lock 
is  non-blocking  and  can  be  superseded  by  a  conflicting 
action  qj[x]  if  Tj  is  before  Tj  in  the  serialization  order. 

A  more  detailed  description  of  the  secure  two-phase 
locking  protocol  is  given  in  [Son  94]. 

5.  An  Adaptive  Security  Policy 

Results  from  performance  analysis  of  Secure  2PL 


exhibit  a  better  response  time  characteristic  than  Secure 
OCC.  Its  operating  region  (the  portion  of  the  curve  before 
the  saturation  point)  is  much  larger  than  that  of  Secure 
OCC.  Further,  staleness  is  not  an  issue  in  Secure  2PL  as 
with  Secure  MVTO.  However,  this  alone  does  not  suffice 
when  timing  constraints  are  present  on  transactions.  In 
Secure  2PL,  transaction  scheduling  order  is  determined 
purely  by  the  order  in  which  transactions  acquire  locks. 
No  conscious  effort  is  made  to  schedule  transactions 
according  to  their  priority,  or  according  to  how  close  a 
transaction  is  to  meeting  its  deadline.  In  a  real-time  data¬ 
base  system  this  is  unacceptable.  Therefore,  security  prop¬ 
erties  may  need  to  be  compromised  to  some  extent  to 
ensure  a  certain  degree  of  deadline  cognizance. 

A  covert  timing  channel  is  opened  between  two  collab¬ 
orating  transactions  -  one  at  a  higher  access  class  and  the 
other  at  a  lower  access  class  -  if  the  higher  access  class 
transaction  can  influence  the  delay  seen  by  a  lower  access 
class  transaction.  The  bandwidth  of  a  covert  channel  is  a 
measure  of  how  easy  it  is  for  the  higher  access  class  trans¬ 
action  to  control  the  delay  seen  by  the  lower  access  class 
transaction.  If  there  is  a  great  degree  of  randomness  in  the 
system,  i.e.,  an  indeterminate  number  of  transactions 
could  be  affecting  the  delay  that  the  higher  access  class 
transactions  wants  a  lower  access  class  transaction  to 
experience,  then  the  bandwidth  is  low.  On  the  other  hand, 
if  the  higher  access  class  transaction  knows  that  the  lower 
access  class  transaction  to  which  it  wants  to  transmit 
information  is  the  only  other  transaction  in  the  system, 
then  the  bandwidth  is  infinite.  Therefore,  when  security 
has  to  be  sacrificed,  a  policy  that  keeps  the  bandwidth  of 
the  resulting  covert  channel  to  a  minimum  is  desirable.  To 
ensure  this,  the  security  policy  has  to  be  adaptive,  i.e., 
determining  whether  security  is  to  be  violated  or  not  when 
a  conflict  arises  should  depend  on  the  current  state  of  the 
system  and  not  on  a  static,  predecided  property. 

Our  adaptive  policy  to  resolve  conflicts  between  lock 
holding  and  lock  requesting  transactions  is  based  on  past 
execution  history.  Whenever  a  transaction  Tj  requests  a 
lock  on  a  data  item  x  on  which  another  transaction  T2 
holds  a  conflicting  lock,  there  are  two  possible  options: 

-  Tj  could  be  blocked  until  T2  releases  the  lock. 

-  T2  could  be  aborted  and  the  lock  granted  to  Tj. 

If  Tj  were  at  a  higher  security  level  than  T2,  the  latter 
option  would  be  a  violation  of  security.  However,  if  T  j  has 
greater  priority  than  T2,  then  the  latter  option  would  be  the 
option  taken  by  a  real-time  concurrency  control  approach. 
In  our  approach,  we  strike  a  balance  between  these  two 
conflicting  options  by  looking  up  past  history.  A  measure 
of  the  degree  to  which  security  has  been  violated  in  the 
past  is  calculated.  A  similar  measure  of  the  degree  to 


which  the  real-time  constraints  have  not  been  satished  can 
be  obtained  from  the  number  of  deadlines  missed  in  the 
past.  These  two  measures  are  compared  and  depending  on 
which  value  is  greater,  either  the  security  properties  are 
satished  or  the  higher  priority  transaction  is  given  the  right 
to  execute. 

The  two  factors  that  are  used  to  resolve  a  conhict  are: 

-  Security  Factor  (SF): 

(number  of  conhicts  for  which  security  is  maintained/ 
total  number  of  conhicts)  *  difference  in  security  level 
between  the  two  conhicting  transactions. 

-  Deadline  Miss  Factor  (DMF): 

number  of  transactions  that  missed  their  deadline/total 
number  of  transactions  committed 

Two  factors  are  involved  in  the  calculation  of  SF.  The 
hrst  factor  is  the  degree  to  which  security  has  been  satis¬ 
hed  in  the  past,  measured  by  the  number  of  conhicts  for 
which  security  has  been  maintained.  Secondly,  we  also 
assume  that  the  greater  the  difference  in  security  levels 
between  the  transactions  involved  in  the  conhict,  the  more 
important  it  is  to  maintain  security.  DMF  is  determined 
only  by  the  number  of  deadline  misses  in  the  past.  Note 
that  for  a  comparison  with  DMF,  (1  -  SF)  has  to  be  used, 
since  (1  -  SF)  is  a  measure  of  the  degree  to  which  security 
has  been  violated.  Now,  a  simple  comparison  (1  -  SF)  > 
DMF  is  not  enough,  since  different  systems  need  to  main¬ 
tain  different  levels  of  security.  Therefore,  we  dehne  two 
weighting  factors,  a  and  P  for  (1  -  SF)  and  DMF  respec¬ 
tively.  If  a  *  (1  -  SF)  >  P  *  DMF,  then  for  the  conhict 
under  consideration,  the  security  properties  are  more 
important  and  therefore  the  conhict  is  decided  in  favor  of 
the  transaction  at  a  lower  access  class.  If  the  opposite  is 
true,  then  the  transaction  with  higher  priority  is  given  pre¬ 
cedence.  Note  that  at  low  conhict  rates,  it  is  possible  to  sat¬ 
isfy  both  the  security  and  the  real-time  requirements 
simultaneously.  As  a  result  the  comparison  is  not  made 
until  the  DMF  reaches  a  certain  threshold  value 
DMISS_THRESH.  The  parameters  DMISS_THRESH,  a 
and  P  can  be  tuned  for  the  desired  level  of  security.  A  very 
high  value  of  DMISS_THRESH  or  a  very  high  value  of  a 
compared  to  P  would  result  in  SE  being  maintained  at  1 .0, 
i.e.,  for  all  conhicts  the  security  properties  are  satished.  A 
very  high  value  of  P  compared  to  a  would  result  in  an  SE 
value  of  0.0,  i.e.,  the  behavior  would  be  identical  to  that  of 
2PL-HP  [Abbo  92].  Eor  a  desired  value  of  SE  between  0 
and  1,  the  values  of  a,  P  and  DMISS_THRESH  would 
have  to  be  tuned  based  on  the  arrival  rate  of  transactions. 

The  adaptive  protocol  can  be  described  by  the  rules 
specifying  how  to  resolve  conhict. 

If  a  conhict  between  a  lock  holding  transaction  T  j  and  a 
lock  requesting  transaction  T2  arises,  the  conhict  is  settled 
using  the  following  rules: 


•  If  DMF  <  DMISS_THRESH 
then 

follow  the  steps  taken  by  the  Secure  2PL  protocol 

•  Else  If  a*(l  -SF)>^*  DMF 

follow  the  steps  taken  by  the  Secure  2PL  protocol 

•  Else 

break  the  conflict  in  favor  of  the  transaction  with 

the  higher  priority 

The  performance  results  of  the  adaptive  secure  2PL 
protocol  for  a  spectrum  of  security  factor  values  are 
reported  in  [Son  95]. 

6.  Conclusions 

In  this  paper,  we  have  presented  an  approach  to  sched¬ 
uling  transactions  to  improve  timeliness  in  a  secure  real¬ 
time  database.  The  performance  results  substantiate  our 
claim  that  an  adaptive  security  policy  that  sacrifices  the 
security  properties  to  some  extent  can  improve  the  dead¬ 
line  miss  performance. 

The  work  described  in  this  paper  is  more  a  direction  for 
future  research  than  a  concrete  solution  to  the  problem  of 
secure  real-time  concurrency  control.  There  are  a  number 
of  issues  that  need  to  be  looked  into.  Eirst  of  all,  a  proper 
characterization  of  the  bandwidth  of  a  covert  channel  that 
can  arise  given  a  particular  value  of  SE  needs  to  be 
derived.  Applications  might  express  a  desired  level  of 
security  in  terms  of  a  maximum  admissible  bandwidth  of  a 
potential  covert  channel.  Unless  there  is  a  way  of  deter¬ 
mining  to  what  extent  a  security  policy  satisfies  the  secu¬ 
rity  properties,  one  cannot  determine  whether  the  policy  is 
suitable  for  the  application  or  not.  We  have  investigated 
how  to  model  the  bandwidth  of  a  covert  channel,  based  on 
information  theory  which  is  concerned  with  the  possibility 
of  noise  degrading  the  fidelity  of  the  signal  being  trans¬ 
mitted  [Dav  95].  We  are  currently  pursuing  mechanisms 
to  control  the  bandwidth  (call  capacity)  of  covert  chan¬ 
nels. 

Secondly,  in  this  paper  we  have  considered  a  simple 
trade-off  between  deadline  miss  percentage  and  security. 
A  trade-off  could  also  have  been  made  between  alterna¬ 
tive  factors  depending  on  the  application.  Thirdly,  we 
have  restricted  ourselves  to  a  soft  deadline  system  with  no 
overload  management  policy.  It  would  be  interesting  to 
see  how  a  policy  to  screen  out  transactions  that  are  about 
to  miss  their  deadline  would  affect  performance. 

Einally,  in  this  paper,  we  have  restricted  ourselves  to 
the  problem  of  real-time  secure  concurrency  control  in  a 
database  system.  Some  of  the  other  issues  that  need  to  be 
considered  in  designing  a  comprehensive  real-time  multi¬ 
level  secure  database  system  (MLS/RTDBMS)  are  dis¬ 
cussed  in  [Son  93].  Various  types  of  MLS/RTDBMSs 
need  to  be  identified  and  architectures  and  algorithms 


developed  for  each  type  of  system.  Trade-offs  need  to  be 

made  between  security,  timeliness  and  consistency  on  a 

case-by-case  basis. 
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